Digital innovation is a double-edged sword: while necessary for driving performance, it exposes companies to much greater cyber threats. The COVID-19 pandemic opened even more opportunities for cybercriminals, who adapted their attacks to exploit vaccination mandates, elections, and the shift to hybrid work, while also targeting organizations’ supply chains and networks. With such criminals becoming smarter and more resourceful, cybersecurity is no longer just an IT issue: it is a strategic imperative for the C-suite and government officials.
To understand how companies are addressing these issues and beefing up their cybersecurity defenses, ThoughtLab is conducting a multi-client research program titled Cybersecurity Solutions for a Riskier Digital World. We asked experts and sponsors of the study to offer their perspectives on how the pandemic has affected cybersecurity and the implications for their businesses.
How has the pandemic permanently changed the cybersecurity landscape and agenda for companies?
Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: The pandemic has driven organizations to a more dispersed and distributed employee model as well as exposing supply chain dependencies. For many companies, the risk equation has changed for the worst, driven by a dynamic threat environment that has increased in frequency, intensity, and sophistication.
Larry Clinton, President/CEO Internet Security Alliance: The pandemic has altered cybersecurity, although it is far from the most important change. If confined to the pandemic, I would say the most notable change is the evolution of a substantial work-from-home community without adequate consideration of security procedures, which has spurred a tremendous increase in vulnerability for the entire system and a resulting significant increase in cybercrime.
Steve Durbin, CEO, Information Security Forum: The pandemic has resulted in masses of employees working from home long term, personal devices being employed for corporate uses, and spikes in social media usage rates, among other changes, which have broadened the attack surface.
This shift in landscape has required organizations to reprioritize strategic objectives and key risks—e.g., accelerating digital transformation programs and migration to the cloud.
The Internet Organized Crime Threat Assessment (IOCTA) 2021 report highlights that COVID-19 has resulted in a sharp increase in cybercrime. Cybercriminals have been identified to be employing the following attack vectors: malware (e.g., ransomware and mobile malware), payment fraud (e.g., sim-swapping, mobile banking trojans and ATM attacks), social engineering, and phishing.
Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Ransomware and malicious cyberattacks rose significantly during the pandemic and impacted many industries. Demand for cyber talent has increased and the shortage of skilled resources has driven the cost of that talent much higher. As a result of the types of attacks seen, many industries are seeking talent that perhaps before, they thought they could get away without hiring or with hiring one or two resources. Now they realize teams of cyber experts may be needed because these threats are here to stay.
Simon Chassar, Chief Revenue Officer, Claroty Inc: The pandemic affected the cybersecurity industry because of the implications of remote working and isolation from traditional hands-on configurations and installations. The remote office created a need to re-architect or accelerate to secure access service edge (SASE) within Software Defined Wide Area Networking (SD-WAN), with cloud and full corporate security policies for email, data, and access beyond the officer perimeter. This permanently changed the approach and accelerated the need to design in cybersecurity for all solutions; and cybersecurity with COVID became the enabler of digital transformation acceleration—Secure-by-Design. The further need to build in resiliency into business operations has increased the drive to public cloud, multi-cloud, and hybrid cloud, with remote access and software-defined security controls.
Ravi Srinivasan, CEO, Votiro: Cybersecurity is no longer enterprise IT’s jobs. The accelerated digital transformation of back-office processes, rapid application migration to multiple clouds, and modernization of the data platforms have brought the business and security leaders to collaborate on new cyber strategies and execution. The pandemic has changed the landscape, shifting the focus away from infrastructure to data-centric security approaches. As enterprise users have experienced the risks of cyber, there’s heightened awareness of the need to be vigilant. CISOs will prioritize investments in more cloud-native, usable security services—not large security platforms—to enable secure digital business.
Mandy Andress, Chief Information Security Officer, Elastic: The pandemic transformed the role of the CISO virtually overnight – from forcing a shift to remote operations to rethinking how to best support employee productivity. Now that companies have weathered the initial changes, CISOs are reassessing their IT security practices, tools, operations, and employee processes for long-term stability and growth within a distributed environment.
The pandemic has expanded enterprises’ attack surface area, posing greater threat and risk for possible opportunistic or malicious attacks. Ensuring a strong security program in a remote environment will continue to be a top priority in the next few years as we work closely with our peers across the leadership team to build employee awareness of security protocols and invest in appropriate technology to meet the intricate needs of globally distributed organizations.
Gidi Cohen, CEO and Founder, Skybox Security: The reality is that current security practices are not keeping up with the changing security landscape. Attack surfaces grew significantly during the pandemic. Accelerated digital transformation, cloud migration, and increased remote working all contributed to this growth. Further, the pandemic put to test many of the systemic failures of the cybersecurity industry. Organizations are plagued with massive, fragmented networks, decentralized, inconsistent configurations and change management processes, unsafe cloud and network configurations, and the continual increase in vulnerabilities.
As the economy recovered, the great resignation had significant implications for cybersecurity programs. Already resource-constrained, organizations are losing the institutional knowledge and talent needed to run cybersecurity programs effectively. As a result, security organizations suffer from loss productively, inefficiencies, and risk of human error.
Cyber security organizations are making significant changes to address the expanded attack surface, fragmented and complex environments, and loss of talent. They are increasingly focused on moving from reactive approaches to proactive security posture management. Gaining visibility across hybrid, multi-cloud, and OT networks has become a top priority. And they are embracing automation at record levels to optimize workflows, implement changes, and validate network security policies.
What do you see as the biggest cybersecurity challenge that companies will face over the next two years?
Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: As cyberattacks continue to increase in scope and scale, the government is taking a more active role in defining and prescribing new security regulations. In addition, data privacy laws are becoming more rigid and complex. In already regulated sectors, the requirements are increasing even more. Balancing compliance with the day-to-day reality of operational cybersecurity challenges will be a huge challenge.
Larry Clinton, President/CEO Internet Security Alliance: The biggest challenge for companies is that they are being vastly over-matched by the growing sophistication of the attack community. Not only nation-states and state-affiliated attackers but also criminal syndicates are accessing increasingly sophisticated attack methods and technologies that will be very difficult for private firms to compete with.
Steve Durbin, CEO, Information Security Forum: There are three challenges organizations will increasingly face over the next two years:
- Being confident in the level of cyber capability currently protecting the organization, in terms of people, processes, and technology, and whether they ensure risks fall within the organisation’s acceptable risk tolerance.
- Dealing with significant levels of technical debt from legacy systems and proprietary systems. This is a burden to the organization as it can often be more expensive to update an outdated IT estate compared with replacing it completely.
- Meeting the ever-changing and more complex compliance obligations. Upcoming regulations, such as requirements aiming to improve the reporting of cyber incidents to authorities, can distract CISOs, and have implications for incident management teams, resourcing (workforce), and budget allocation.
Simon Chassar, Chief Revenue Officer, Claroty Inc: The biggest cybersecurity challenge will be the continued increase in the sophistication of threats for financial gain across a broad increased and connected threat surface. This means that lateral movement of malware is a real concern. We have seen a huge increase in the volume of malware impacts on industrial environments, from oil and gas and water to healthcare and manufacturing. These environments have been increasing in connectivity in OT and IoT due to automation and optimization of production for efficiency with real-time demands. This has led to an increased and unprotected environment because of legacy systems and unfamiliar protocols. Therefore, I believe that industrial environment protection or cyber-physical systems will be the biggest challenge over the next two years.
Ravi Srinivasan, CEO, Votiro: Remote/hybrid work is here to stay. Security leaders need to focus on protecting digital data and files wherever they are used. This will drive the growing adoption of Security Services Edge, but SSE adoption will hit some operational headwinds as leaders need to address more data risks from the realities of multi-cloud, hybrid IT infrastructures, and usage of more cloud applications.
Ransomware fatigue will increase. Ransomware attacks are here to stay. Crypto is a force to reckon with and, as business leaders debate to pay or not to pay for ransomware incidents, security leaders will shift focus to prevention approaches and outsource the detection and response efforts to managed services providers.
Hyper-digital connections will create more data risks. Digitizing old business processes leads to the use of more supply chain connections, exposing more homegrown applications in the cloud and increasing users’ access to new services from outside the traditional enterprise network. This leads to bad actors exploiting these new digital services, such as weaponizing files used by employees, applications, and data platforms; misconfigurations of application and data platforms in the cloud; more high-profile supply chain exploits; and increased personalized phishing attacks.
Too many security frameworks lead to too many tools in use. Enterprise and security architects will need to rationalize and adopt frameworks based on a business-led security strategy: securing what matters most for the businesses (data and intellectual property) and adopting security as a service.
Mandy Andress, Chief Information Security Officer, Elastic: While the threat of malware, ransomware, and data breaches will only continue to rise, the biggest challenge in front of many security executives is finding the next generation of cybersecurity professionals. While cybersecurity is a technology issue, it’s also a human one and an organization’s employees are the first line of defense.
In its Cybersecurity Workforce Study 2021, industry body (ISC) finds that 2.7 million information security jobs remain unfilled worldwide. While this number is down from 3.1 million in 2020, we’re a long way off where we need to be. In the face of increased digitization and a rising tide of attacks, the current cybersecurity workforce of 4.2 million people globally needs to grow 65% to keep up with the demand for its skills.
In other words, we’re going to need to draw from a wider talent pool to plug the gaps.
Our industry’s over-reliance on specialists with the ‘right’ qualifications and educational backgrounds might actually be a weakness — a point of view reinforced for me by David Epstein’s 2019 book, Range: Why Generalists Triumph in a Specialized World. In the book, Epstein argues that generalists with wide-ranging interests are more creative, more agile, and able to make connections that their more specialized peers can’t see, especially in complex and unpredictable fields – a description that is a good fit for cybersecurity.
Many of the hiring challenges in cybersecurity can be alleviated by taking important steps to diversify the talent pipeline, which not only expands the talent pool but also contributes to a healthier overall cybersecurity culture.
Gidi Cohen, CEO and Founder, Skybox Security: As the economy continues to recover and cybersecurity budgets increase, there will be increasing pressure to develop strategic approaches that increase cybersecurity efficacy and not just tactically react to pressures during the earlier days of the pandemic. Organizations will focus on strengthening their cybersecurity controls, processes, and compliance programs to reduce risk and exposure to cyberattacks. This requires a fundamental shift in mindset from reactive to proactive cybersecurity. Security by design will become the focus and the challenge. Organizations will rethink security architectures to unify and better optimize security across hybrid, multi-cloud, and OT environments. In tandem, security leaders will need to decide how to approach zero trust and address the architectural implications. Secure cloud adoption and migration will continue to be a challenge. Organizations will also need to manage and consolidate fragmented infrastructures that include disparate security products with sub-optimal use. And processes will need to be optimized and automated to avoid catastrophic errors and address resource constraints.